Connecting branch or remote offices to the VPN using DSL is a solid way to provide a secure connection -- it is essentially a typical IPsec remote access VPN solution. Consider the situation using a Cisco 1760: the router will serve as the VPN's gateway, using DSL to obtain access to the Internet. Every remote host that needs to access the main office network will require Cisco VPN Client software and some kind of Internet access. The policies on the Cisco 1760 will need to be configured to permit access by those clients, including user credentials to authenticate each client and IPsec selectors that determine which hosts/subnets each client is permitted to access inside your main office network.
Another option would be to install VPN hardware at every remote office and set up a site-to-site VPN that connects the remote offices to the main office. Each host would not need its own VPN client software or user credentials, because all clients at each remote office would share the tunnels between the remote and main VPN gateways. This makes more sense if everyone at each remote office has the same access to the main office network. However, if only a few clients need access, or permission for individual users needs to vary, then a remote access VPN is more appropriate.
For a remote access VPN, NAT Traversal is needed in both the Cisco 1760 and the VPN Client software so that IPsec traffic can be forwarded through the remote office routers/firewalls, no matter what they might be. However, the router/firewall at every remote office must be configured to permit bi-directional traffic on the ports used by the VPN.
Each remote office will need to install appropriately-configured Cisco VPN Client software on every remote host, to identify the username/password for each authorized user, and to train users about how and when to launch VPN clients.
On the Cisco 1760, Extended Authentication (XAUTH) is probably the logical choice, combined with a group policy that defines a pre-shared secret used by everyone in that group. Users can be authenticated locally, or an ACS server can be used for user authentication.
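The gateway side of the remote access setup described above, as an added Cisco IOS configuration sketch (not part of the original answer). Every name, address range, the `Dialer0` DSL interface and the `<...>` secrets are assumptions or placeholders, and AES requires an IOS crypto image that supports it.

```cisco
! Added example: remote access (Easy VPN server style) on the main-office router.
! All names, addresses and secrets below are assumed placeholders.
aaa new-model
! XAUTH users are checked against the local database; an ACS server
! method could replace "local" in this list.
aaa authentication login VPN-XAUTH local
aaa authorization network VPN-GROUP local
!
username branchuser1 secret <per-user-password>
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
! Keepalives hold the NAT mapping open on the remote office router/firewall
crypto isakmp nat keepalive 20
!
! Group policy: one pre-shared secret shared by everyone in the group
crypto isakmp client configuration group BRANCH-USERS
 key <group-pre-shared-secret>
 pool VPN-POOL
 acl 110
!
crypto ipsec transform-set VPN-TS esp-aes 256 esp-sha-hmac
!
crypto dynamic-map VPN-DYN 10
 set transform-set VPN-TS
 reverse-route
!
! Tie XAUTH (user login) and group authorization to the crypto map
crypto map VPN-MAP client authentication list VPN-XAUTH
crypto map VPN-MAP isakmp authorization list VPN-GROUP
crypto map VPN-MAP client configuration address respond
crypto map VPN-MAP 10 ipsec-isakmp dynamic VPN-DYN
!
! Addresses handed to connecting VPN clients
ip local pool VPN-POOL 192.168.100.1 192.168.100.50
! Selector: the main-office subnet clients in this group may reach
access-list 110 permit ip 10.1.1.0 0.0.0.255 any
!
! Apply the crypto map to the Internet-facing DSL interface
interface Dialer0
 crypto map VPN-MAP
```

Defining a separate client configuration group with its own key and ACL for each class of user is how per-group access differences are expressed in this layout.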
This question was asked at Ask the Experts on SearchNetworking.com.